tijoparacka commented on code in PR #13245:
URL: https://github.com/apache/druid/pull/13245#discussion_r1011770709
##########
docs/development/extensions-core/druid-basic-security.md:
##########
@@ -182,24 +333,131 @@
druid.auth.authorizer.MyBasicMetadataAuthorizer.type=basic
The examples in the rest of this article use `MyBasicMetadataAuthorizer` or
`MyBasicLDAPAuthorizer` as the authorizer name.
#### Properties for Druid metadata store user authorization
-|Property|Description|Default|required|
-|--------|-----------|-------|--------|
-|`druid.auth.authorizer.MyBasicMetadataAuthorizer.enableCacheNotifications`|If
true, the Coordinator will notify Druid processes whenever a configuration
change to this Authorizer occurs, allowing them to immediately update their
state without waiting for polling.|true|No|
-|`druid.auth.authorizer.MyBasicMetadataAuthorizer.cacheNotificationTimeout`|The
timeout in milliseconds for the cache notifications.|5000|No|
-|`druid.auth.authorizer.MyBasicMetadataAuthorizer.initialAdminUser`|The
initial admin user with role defined in initialAdminRole property if specified,
otherwise the default admin role will be assigned.|admin|No|
-|`druid.auth.authorizer.MyBasicMetadataAuthorizer.initialAdminRole`|The
initial admin role to create if it doesn't already exists.|admin|No|
-|`druid.auth.authorizer.MyBasicMetadataAuthorizer.roleProvider.type`|The type
of role provider to authorize requests credentials.|metadata|No
+
+**`druid.auth.authorizer.MyBasicMetadataAuthorizer.enableCacheNotifications`**
+
+If true, the Coordinator will notify Druid processes whenever a configuration
change to this Authorizer occurs, allowing them to immediately update their
state without waiting for polling.<br>
+ **Required**: No<br>
+ **Default**: true
+
+**`druid.auth.authorizer.MyBasicMetadataAuthorizer.cacheNotificationTimeout`**
+
+The timeout in milliseconds for the cache notifications.<br>
+ **Required**: No<br>
+ **Default**: 5000
+
+**`druid.auth.authorizer.MyBasicMetadataAuthorizer.initialAdminUser`**
+
+The initial admin user with role defined in initialAdminRole property if
specified, otherwise the default admin role will be assigned.<br>
+ **Required**: No<br>
+ **Default**: admin
+
+**`druid.auth.authorizer.MyBasicMetadataAuthorizer.initialAdminRole`**
+
+The initial admin role to create if it doesn't already exists.<br>
+ **Required**: No<br>
+ **Default**: admin
+
+**`druid.auth.authorizer.MyBasicMetadataAuthorizer.roleProvider.type`**
+
+The type of role provider to authorize requests credentials.<br>
+ **Required**: No<br>
+ **Default**: metadata
#### Properties for LDAP user authorization
-|Property|Description|Default|required|
-|--------|-----------|-------|--------|
-|`druid.auth.authorizer.MyBasicLDAPAuthorizer.enableCacheNotifications`|If
true, the Coordinator will notify Druid processes whenever a configuration
change to this Authorizer occurs, allowing them to immediately update their
state without waiting for polling.|true|No|
-|`druid.auth.authorizer.MyBasicLDAPAuthorizer.cacheNotificationTimeout`|The
timeout in milliseconds for the cache notifications.|5000|No|
-|`druid.auth.authorizer.MyBasicLDAPAuthorizer.initialAdminUser`|The initial
admin user with role defined in initialAdminRole property if specified,
otherwise the default admin role will be assigned.|admin|No|
-|`druid.auth.authorizer.MyBasicLDAPAuthorizer.initialAdminRole`|The initial
admin role to create if it doesn't already exists.|admin|No|
-|`druid.auth.authorizer.MyBasicLDAPAuthorizer.initialAdminGroupMapping`|The
initial admin group mapping with role defined in initialAdminRole property if
specified, otherwise the default admin role will be assigned. The name of this
initial admin group mapping will be set to adminGroupMapping|null|No|
-|`druid.auth.authorizer.MyBasicLDAPAuthorizer.roleProvider.type`|The type of
role provider (ldap) to authorize requests credentials.|metadata|No
-|`druid.auth.authorizer.MyBasicLDAPAuthorizer.roleProvider.groupFilters`|Array
of LDAP group filters used to filter out the allowed set of groups returned
from LDAP search. Filters can be begin with *, or end with ,* to provide
configurational flexibility to limit or filter allowed set of groups available
to LDAP Authorizer.|null|No|
+
+**`druid.auth.authorizer.MyBasicLDAPAuthorizer.enableCacheNotifications`**
+
+If true, the Coordinator will notify Druid processes whenever a configuration
change to this Authorizer occurs, allowing them to immediately update their
state without waiting for polling.<br>
+ **Required**: No<br>
+ **Default**: true
+
+**`druid.auth.authorizer.MyBasicLDAPAuthorizer.cacheNotificationTimeout`**
+
+The timeout in milliseconds for the cache notifications.<br>
+ **Required**: No<br>
+ **Default**: 5000
+
+**`druid.auth.authorizer.MyBasicLDAPAuthorizer.initialAdminUser`**
+
+The initial admin user with role defined in initialAdminRole property if
specified, otherwise the default admin role will be assigned.<br>
+ **Required**: No<br>
+ **Default**: admin
+
+**`druid.auth.authorizer.MyBasicLDAPAuthorizer.initialAdminRole`**
+
+The initial admin role to create if it doesn't already exists.<br>
+ **Required**: No<br>
+ **Default**: admin
+
+**`druid.auth.authorizer.MyBasicLDAPAuthorizer.initialAdminGroupMapping`**
+
+The initial admin group mapping with role defined in initialAdminRole property
if specified, otherwise the default admin role will be assigned. The name of
this initial admin group mapping will be set to adminGroupMapping<br>
+ **Required**: No<br>
+ **Default**: null
+
+**`druid.auth.authorizer.MyBasicLDAPAuthorizer.roleProvider.type`**
+
+The type of role provider (ldap) to authorize requests credentials.<br>
+ **Required**: No<br>
+ **Default**: metadata
+
+**`druid.auth.authorizer.MyBasicLDAPAuthorizer.roleProvider.groupFilters`**
+
+Array of LDAP group filters used to filter out the allowed set of groups
returned from LDAP search. Filters can be begin with *, or end with ,* to
provide configurational flexibility to limit or filter allowed set of groups
available to LDAP Authorizer.<br>
+ **Required**: No<br>
+ **Default**: null
+
+#### Properties for LDAPS
+
+Use the following properties to configure Druid authentication with LDAP over
TLS (LDAPS). See [Configure LDAP authentication](../../operations/auth-ldap.md)
for more information.
+
+**`druid.auth.basic.ssl.protocol`**
+
+SSL protocol to use. The TLS version is 1.2.<br>
+ **Required**: Yes<br>
+ **Default**: tls
+
+**`druid.auth.basic.ssl.trustStorePath`**
+
+Path to the trust store file.<br>
+ **Required**: Yes<br>
+ **Default**: N/A
+
+**`druid.auth.basic.ssl.trustStorePassword`**
+
+Password to access the trust store file.<br>
+ **Required**: Yes<br>
+ **Default**: N/A
+
+**`druid.auth.basic.ssl.trustStoreType`**
+
+Format of the trust store file. For Java the format is jks.<br>
+ **Required**: No<br>
+ **Default**: jks
+
+**`druid.auth.basic.ssl.trustStoreAlgorithm`**
+
+Algorithm used by the trust manager to validate certificate chains.<br>
+ **Required**: No<br>
+ **Default**: N/A
+
+**`druid.auth.basic.ssl.trustStorePasswordProvider`**
+
+[Password provider](./operations/password-provider.md) that enables access to
the trust store.<br>
+ **Required**: No<br>
+ **Default**: N/A
+
+Example LDAPS configuration:
+
+```json
+druid.auth.basic.ssl.protocol=tls
+druid.auth.basic.ssl.trustStorePath=/usr/local/druid-path/certs/truststore.jks
+druid.auth.basic.ssl.trustStorePassword=xxxxx
+druid.auth.basic.ssl.trustStoreType=jks
+druid.auth.basic.ssl.trustStoreAlgorithm=PKIX
+druid.auth.basic.ssl.trustStorePasswordProvider=myPasswordProvider
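Review bot: The example block at the end of this hunk is fenced as `json`, but its lines are `key=value` runtime properties, so the fence tag should be `properties` or be dropped. The same example sets both `druid.auth.basic.ssl.trustStorePassword=xxxxx` and `druid.auth.basic.ssl.trustStorePasswordProvider=myPasswordProvider`, and the text never says which one is used when both are present; show one of them per example and state the precedence in the property description. The Password provider link uses `./operations/password-provider.md` while the LDAP link in the same section uses `../../operations/auth-ldap.md`, so one of the two relative paths is likely wrong. `druid.auth.basic.ssl.protocol` is listed with Required: Yes and Default: tls, which reads as contradictory; pick one.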
Review Comment:
To my knowledge there is no parameter as
`druid.auth.basic.ssl.trustStorePasswordProvider`, but
`druid.auth.basic.ssl.trustStorePassword` itself is the password provider.
For providing the password in clear text, use it as
`druid.auth.basic.ssl.trustStorePassword =<password in clear text>`.
If the password is to be given with a password provider, e.g. the Environment
Variable Password Provider, then use the parameter as
`druid.auth.basic.ssl.trustStorePassword ={ "type": "environment", "variable": "PASS_ENV_VARIABLE" }`